Sometimes Windows clients don't filter SECINFO_[UN]PROTECTED_[D|S]ACL flags before sending the security_information to the server.

security_information = SECINFO_PROTECTED_DACL | SECINFO_DACL results in a NULL dacl being returned from a GetSecurityDescriptor request.

This happens because posix_get_nt_acl_common() has the following logic:

    if ((security_info & SECINFO_DACL) &&
        !(security_info & SECINFO_PROTECTED_DACL)) {
        ... create DACL ...
    }

I'm not sure if the logic is correct or wrong in this place (I guess it's wrong...). But what I know is that the SMB server should filter the given security_information flags before passing to the filesystem.

[MS-SMB2] 3.3.5.20.3 Handling SMB2_0_INFO_SECURITY
...
The server MUST ignore any flag value in the AdditionalInformation field that is not specified in section 2.2.37.

Section 2.2.37 lists:
OWNER_SECURITY_INFORMATION
GROUP_SECURITY_INFORMATION
DACL_SECURITY_INFORMATION
SACL_SECURITY_INFORMATION
LABEL_SECURITY_INFORMATION
ATTRIBUTE_SECURITY_INFORMATION
SCOPE_SECURITY_INFORMATION
BACKUP_SECURITY_INFORMATION
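As an added example (not code from this bug report or from Samba), the following C program models the condition quoted in the first comment and shows what masking the request down to the flags listed in [MS-SMB2] 2.2.37 does to it. The `example_`/`EXAMPLE_` names are hypothetical; the bit values are the standard Windows SECURITY_INFORMATION values.

```c
#include <stdint.h>
#include <stdio.h>

/* SECURITY_INFORMATION bit values (standard Windows values; the SECINFO_*
 * names follow the ones used in the report). */
#define SECINFO_OWNER            0x00000001u
#define SECINFO_GROUP            0x00000002u
#define SECINFO_DACL             0x00000004u
#define SECINFO_SACL             0x00000008u
#define SECINFO_LABEL            0x00000010u
#define SECINFO_ATTRIBUTE        0x00000020u
#define SECINFO_SCOPE            0x00000040u
#define SECINFO_BACKUP           0x00010000u
#define SECINFO_UNPROTECTED_SACL 0x10000000u
#define SECINFO_UNPROTECTED_DACL 0x20000000u
#define SECINFO_PROTECTED_SACL   0x40000000u
#define SECINFO_PROTECTED_DACL   0x80000000u

/* Hypothetical mask: only the flags listed in [MS-SMB2] 2.2.37. */
#define EXAMPLE_QUERY_SECINFO_MASK \
    (SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL | SECINFO_SACL | \
     SECINFO_LABEL | SECINFO_ATTRIBUTE | SECINFO_SCOPE | SECINFO_BACKUP)

/* Hypothetical helper: drop every bit the query path must ignore. */
static uint32_t example_filter_query_secinfo(uint32_t security_info)
{
    return security_info & EXAMPLE_QUERY_SECINFO_MASK;
}

/* Model of the condition quoted from posix_get_nt_acl_common():
 * returns 1 when a DACL would be created, 0 when it would be left NULL. */
static int example_dacl_would_be_built(uint32_t security_info)
{
    return (security_info & SECINFO_DACL) &&
           !(security_info & SECINFO_PROTECTED_DACL);
}

int main(void)
{
    /* Constructed request: the flag combination from the report. */
    uint32_t raw = SECINFO_PROTECTED_DACL | SECINFO_DACL;
    uint32_t filtered = example_filter_query_secinfo(raw);

    printf("raw      0x%08x -> DACL built: %d\n", (unsigned)raw,
           example_dacl_would_be_built(raw));
    printf("filtered 0x%08x -> DACL built: %d\n", (unsigned)filtered,
           example_dacl_would_be_built(filtered));
    return 0;
}
```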
Created attachment 10206 [details] Possible patches for master
Created attachment 10207 [details] Possible patches for master
Actually the DACL protected bit is stored in the filesystem, along with these other flags:
SACL_PROTECTED
DACL_PROTECTED
SACL_AUTO_INHERITED
DACL_AUTO_INHERITED
DACL_DEFAULTED
SACL_DEFAULTED

They are the same that are stored in NFSv4.
And the vfs GPFS module already depends on them being passed through.

Filtering out SECINFO_PROTECTED_DACL in Samba would be a step backwards.
(In reply to comment #3)
> Actually the DACL protected bit is stored in the filesystem, along with these
> other flags:
> SACL_PROTECTED
> DACL_PROTECTED
> SACL_AUTO_INHERITED
> DACL_AUTO_INHERITED
> DACL_DEFAULTED
> SACL_DEFAULTED

These are the flags of security_descriptor_type, which are not filtered.

> They are the same that are stored in NFSv4.
> And the vfs GPFS module already depends on them being passed through.
>
> Filtering out SECINFO_PROTECTED_DACL in Samba would be a step backwards.

The SECINFO_* flags are something else.
Created attachment 10214 [details] git-am fix for master. Just FYI - that patch looks good. Might want to add this follow-up though?
Created attachment 10218 [details] git-am fix for 4.1.next and 4.0.next. Patch that went into master. Applies cleanly to 4.1.next, 4.0.next.
Karolin, please pick for 4.1.next, 4.0.next. Thanks! Jeremy.
Pushed to autobuild-v4-[0|1]-test.
Pushed to both branches. Closing out bug report. Thanks!